All processing of personal data must be subject to one of the following:
Necessity and proportionality are intrinsically linked key features applied throughout GDPR.
Necessity means the minimum and least intrusive processing required to satisfy the identified legitimate purpose, whereas the principle of proportionality requires consideration of appropriateness of processing (with or without safeguards) bearing in mind the principles of data protection. In other words, does the end justify the means.
Section 8 of the DPA 2018 assists with the meaning of ‘public interest’. It includes processing in the administration of justice.
When creating a Record of Processing Activities (Article 30) identify the appropriate lawful basis for the processing for each data flow. If relying on legitimate interests, carry out an assessment and record the findings
References:
Article 6 and Recitals (40) to (49) of the GDPR
Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/E
Section 8 of the DPA 2018 http://www.legislation.gov.uk/ukpga/2018/12/section/8/enacted
EDPB Guidelines on Consent 05/2020 EDPB Guidelines on Contract 02/2019
https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-22019-processing- personal-data-under-article-61b_en
EDPB Guidelines on proportionality https://edps.europa.eu/sites/edp/files/publication/19-12- 19_edps_proportionality_guidelines2_en.pdf
EDPB Guidelines on necessity https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessity_toolkit_final_en.pdf
ICO guidance including interaction of lawful bases with the application of rights and further links https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/lawful-basis-for-processing/